This is current/amd64 on an APU2.
The machine is connected via pppoe over vlan over em as follows:
$ ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:56:5e:fc
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex)
status: active
$ ifconfig vlan0
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:56:5e:fc
description: UVTNET
index 7 priority 0 llprio 3
encap: vnetid 848 parent em0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
$ ifconfig pppoe0
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
index 6 priority 0 llprio 3
dev: vlan0 state: session
sid: 0x1 PADI retries: 5 PADR retries: 0 time: 00:00:32
sppp: phase network authproto pap authname "X"
groups: pppoe egress
status: active
inet6 fe80::20d:b9ff:fe56:5efc%pppoe0 -> prefixlen 64 scopeid 0x6
inet 185.63.96.79 --> 10.11.5.146 netmask 0xffffffff
That works just fine, but as the pppoe0 connection is not instantaneous,
by the time pf.conf rules are evaluated, pppoe0 is still 0.0.0.0.
Reading rc(8) and the boot up sequence messages
pf enabled
net.inet.ip.forwarding: 0 -> 1
starting network
add net default: gateway 0.0.0.1
add net default: gateway fe80::%pppoe0
pf is enabled first with the default rules,
then the network interfaces get their addresses,
and then the "real" rules are applied (right?).
The pppoe0 interface is set up as follows:
$ cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vlan0 \
authproto 'pap' authname 'X' authkey 'PASS' up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
Right after boot, it is still not entirely up:
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
index 6 priority 0 llprio 3
dev: vlan0 state: PADI sent
sid: 0x0 PADI retries: 2 PADR retries: 0
sppp: phase establish authproto pap authname "X"
groups: pppoe egress
status: no carrier
inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff
inet6 fe80::20d:b9ff:fe56:5efc%pppoe0 -> prefixlen 64 scopeid 0x6
and, accordingly,
# pfctl -sr
match out on egress inet from ! 0.0.0.0 to any nat-to 0.0.0.0
block drop in log quick on ! lo inet6 from ::1 to any
block drop in log quick on ! lo inet from 127.0.0.0/8 to any
block drop in log quick inet from 127.0.0.1 to any
block drop in log quick on ! pppoe0 inet from 0.0.0.0 to any
block drop in log quick inet from 0.0.0.0 to any
block drop in log quick on ! em1 inet from 192.168.11.0/24 to any
block drop in log quick inet from 192.168.11.1 to any
block drop in log quick inet6 from ::1 to any
block drop in log quick on lo0 inet6 from fe80::1 to any
block drop in log quick on pppoe0 inet6 from fe80::20d:b9ff:fe56:5efc to any
block return in log all
pass out on egress all flags S/SA
pass quick inet proto icmp all
pass in on pppoe0 inet proto tcp from any to 0.0.0.0 port = 2200 flags S/SA
rdr-to 127.0.0.1 port 22
pass in on pppoe0 inet proto tcp from any to 0.0.0.0 port = 2222 flags S/SA
rdr-to 127.0.0.1 port 22
pass in on em1 inet from 192.168.11.0/24 to any flags S/SA
Entire pf.conf below - but it's not about the individual rules,
the problem is that pppoe0 is 0.0.0.0, and only becomes 185.63.96.79
after pf.conf has been applied.
Is there a recommended way to deal with this?
Having physical access to the machine, I just re-run
pfctl -f /etc/pf.conf once pppoe0 gets its address;
I could do that in rc.local after a minute of sleep,
but that seems a bit crude.
Jan
set skip on lo
set block-policy return
match out on egress inet from !egress:network nat-to egress:0
antispoof log quick for { lo $ext $int }
block in log all
pass out on egress
pass quick inet proto icmp
pass in on $ext inet proto tcp to $ext port 2200 rdr-to localhost port ssh
pass in on $ext inet proto tcp to $ext port 2222 rdr-to localhost port ssh
pass in on $int inet from $int:network
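Added example, not part of Jan's post: the same rule set with the dynamic addresses written in parentheses. In pf.conf(5) an interface name (or interface group) given in parentheses is re-resolved by pf whenever that interface's address changes, so a rule loaded while pppoe0 is still 0.0.0.0 follows it to the negotiated address without a second pfctl -f. The macro values ext = pppoe0 and int = em1 are assumed from the pfctl -sr output above. The antispoof directive is expanded into block rules with fixed addresses at load time (which is exactly what the pfctl -sr output shows), so it is kept here only for the interfaces whose addresses are static.

```pf
# Added example (not from the original post). Macro values are assumed
# from the pfctl -sr output: $ext is pppoe0 and $int is em1.
ext = "pppoe0"
int = "em1"

set skip on lo
set block-policy return

# (egress:network) and (egress:0) are re-evaluated by pf when the egress
# interface's address changes, so this NAT rule follows pppoe0 from
# 0.0.0.0 to its negotiated address without a rule reload.
match out on egress inet from !(egress:network) nat-to (egress:0)

# antispoof expands to block rules with fixed addresses at load time,
# so only interfaces with static addresses are listed; a pppoe0 entry
# would be frozen at 0.0.0.0 until the rules are reloaded.
antispoof log quick for { lo $int }

block in log all
pass out on egress

pass quick inet proto icmp

# ($ext) as the destination is resolved when a packet is matched,
# not when the rule set is loaded.
pass in on $ext inet proto tcp to ($ext) port 2200 rdr-to localhost port ssh
pass in on $ext inet proto tcp to ($ext) port 2222 rdr-to localhost port ssh

pass in on $int inet from $int:network
```

Check after boot: with these rules, `pfctl -sr` prints the parenthesized interface name (for example `(pppoe0)`) in place of the 0.0.0.0 seen above, and once pppoe0 reaches the session state the rules match the real address with no reload. The antispoof protection for pppoe0 itself still depends on a reload after the address is assigned, which is why it is left out of the parenthesized set.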